I became interested in cybersecurity while doing software development. When working as a developer, I started becoming interested in secure coding methods and what I could do to make what I was working on more secure from both technical and end-user perspectives. I started enjoying other aspects around information security and felt that going back to graduate school and earning a computer security-specific degree would help me make the transition into a full-time security role.

Why did you get your CCSP®?

I felt that the CCSP was a perfect match for my then-current role and the environment of my employer as well as any future endeavor. Much of what involves cybersecurity in the industry today centers around cloud hosting and provisioning. I believe there is really no company that does not participate in the cloud arena in some manner, whether directly or through a supplier.

What is a typical day like for you?

Of course, there is no typical day, but I am involved in various aspects of cybersecurity ranging from incident response, risk and vulnerability assessment, project consulting, application assessment, and especially penetration testing. I am part of an Offensive Security group that conducts Red Team activities that mimic those of any potential adversary trying to circumvent security controls in place. A good portion of my day is spent trying to find potential vulnerabilities and how best to mitigate them.

Can you tell us about a personal career highlight?

I’ve been fortunate to be at some places in the past where the Security group was either non-existent or at an early stage in development when I started. This means I have been able to implement and help oversee many best practices and security frameworks without the sometimes-normal roadblocks. Implementing and ingraining security into such things as IT Security Service Catalogs, SDLC processes, internal penetration testing, mobile device management, and assisting with employee training, just to name a few.

How has the CCSP certification helped you in your career?

I believe that the CCSP has complemented my CISSP by asserting my knowledge in certain key areas that are specific to cloud environments. While the CISSP was great in giving me a baseline of common knowledge, it has been a while since I took it. The CCSP took the knowledge I had and updated it to the next level in my career. Cloud-based technologies and theory have become ubiquitous in today’s IT and cybersecurity realms.

What is the most useful advice you have for other cloud security professionals?

Non-technical knowledge and contractual due diligence are extremely important in this area. One must be cognizant of the myriad of laws and regulations that you may fall under depending on the flow and storage of data. Scrutinizing support agreements is also extremely important since the normal hands-on you may have with traditional on-premises resources is not present in many cloud set-ups depending on whether it is IaaS, PaaS, or SaaS. The cloud has, in some ways, shifted the emphasis in critical skills and knowledge from just the pure technical to that of more Risk, Compliance, and Legal issues.

If you’re considering the CCSP certification, just go for it…whether you are currently working in a cloud security role or even are thinking of making the transition. The knowledge you will gain simply by going through the material will help you. In my experience, any knowledge you gain is good, whether you use it now or it comes in handy later in your career.

About the (ISC)² Blog

As the certifying body for more than 125,000 cyber, information, software and infrastructure security professionals worldwide, (ISC)² believes in the importance of open dialogue and collaboration. (ISC)² established this blog to provide a voice to certified members, who have significant knowledge and valuable insights that can benefit other security professionals and the public at large.

The (ISC)² blog gives members a forum to exchange ideas and inspires a safe and secure cyber world by supporting the advancement of the information security workforce via a public exchange with a broad range of information security topics.

Whether an (ISC)² member chooses to participate in the (ISC)² blog is his or her own decision. The postings on this site are the author's own and don't necessarily represent (ISC)²'s positions, strategies or opinions. (ISC)² monitors the blog in accordance with the (ISC)² Blog Guidelines, but the bloggers are responsible for their own content – common sense and intelligence should prevail.

Other than links to the (ISC)² website, (ISC)² does not control or endorse any links to products or services provided in this blog and makes no warranty regarding the content on any other linked website.

Those who post comments to (ISC)² blogs should ensure their comments are focused on relevant topics that relate to the specific blog being discussed. (ISC)² reserves the right to remove any post or comment from this site. Should you find objectionable content in this blog, please notify us as soon as possible at blog@isc2.org